INTEGRATED SERVICE MANAGEMENT SYSTEM

CROSS REFERENCE TO RELATED APPLICATIONS 
This application is a continuation-in-part of U.S. Application No. 
09/841,710, by common inventors TAKESHI ISHIZAKI and SHIGERU MIYAKE, filed 
April 24, 2001, and entitled "INTEGRATED SERVICE MANAGEMENT SYSTEM". 
Application No. 09/841,710 is fully incorporated herein by reference for all purposes. 

BACKGROUND OF THE INVENTION 

The present invention relates generally to techniques for managing storage, 
and in particular to techniques for creation, operation, management, and access control of 
network-based storage services. 

Conventional network-based value-added services comprise more than
one service component. For example, an outsourcing service for enterprise applications over
the Internet involves network access services via the Internet, hosting services for Web servers
and database servers, and storage management services. Each service component may be
provided by a different service provider or may be served by one consolidated service
provider. While certain advantages to such conventional approaches are perceived,
opportunities for further improvement exist. For example, according to conventional
network management technology, managing such complicated service systems, to keep
the service up and running, can be a challenging task for the service operators.

What is needed are improved techniques for creation, operation, 
management, and access control of network-based storage services. 

SUMMARY OF THE INVENTION 
The present invention provides techniques for creation, operation, 
management, and access control of network-based storage services. Specific 
embodiments provide improved efficiency of the service management tasks used for
designing, operating and accounting the robust and profitable network services, for
example. In representative embodiments, techniques for constructing integrated network
and storage services are provided. In a specific embodiment, the service comprises
three major service components: virtual private networks (VPN), application servers and
storage area networks (SAN). Each of these service components has its own customer 
identification information, such as VPN identifier for VPN services, process identifier for 
application servers and logical unit number (LUN) for storage devices. 

In some specific embodiments, service customers are connected to the
service provider through VPN. The VPN path that connects customer sites and the data
center of the service provider is terminated on a VPN termination device or a VPN
router. Within the VPN router, multiple routing processing programs or virtual routers
(VR) run independently. The VPN router is connected to the application servers via a
virtual LAN (VLAN) switch. These application servers are then connected to the service
provider's SAN.

The integrated service management system collects management
information from individual management systems corresponding to each service
component (VPN, servers and SAN) and holds mappings or relationship information
between resources in each service component and the customer who is allowed to use
those resources. For example, the VPN management system is responsible for mapping
between a VPN customer and the VPN path used by that customer. Similarly, server
management systems assign a number of servers to a certain customer. Integrated service
management systems collect this kind of mapping information between customers and
resources within service components. An application programming interface (API)
enables software developers to implement management applications using the
functionality of the integrated service management systems.

In a representative embodiment according to the present invention, a 
system is provided. The system comprises a connection to a virtual private network, and 
a router, which is connected to the virtual private network. The router maintains at least 
one virtual router for a client. The system further comprises at least one server, and a
virtual LAN switch, which is connected to the router. The server can be apportioned into
one or more logical partitions. The virtual LAN switch provides selectable forwarding
for information from the router to at least one logical partition of the server. The system
also includes at least one volume and an FC switch. The FC switch provides selectable
interconnection between the at least one logical partitions of the server and the at least 
one volume, so that information received from a plurality of sources via the virtual 
private network is directed to a particular virtual router for each of the sources by the 
router. In some specific embodiments, a virtual private network management system 
controls operation of the router. The information is then directed to a particular one of 
the logical partitions of the server for each of the sources by the virtual LAN switch. In 
some specific embodiments, a server management system controls operation of the virtual 
LAN switch. The information is then directed to a particular volume for each of the 
sources by the FC switch. In some specific embodiments, a storage management system 
controls operation of the FC switch. 

In a representative specific embodiment, in which a virtual private network 
management system is used to control the router, the virtual private network management 
system comprises a network interface module, that receives commands from an integrated 
service management system, a service order processing module, that analyzes and 
executes the commands, updates a table of virtual private network information, and sends 
new configuration information to the router through a control module. In some specific 
embodiments, the virtual service management system further comprises a virtual private 
network table. The virtual private network table has a VPN ID that identifies a specific 
VPN, an Address 1 and an Address 2 that hold IP addresses of two end points of the 
specific VPN, a Protocol that specifies a VPN protocol that is used on the specific VPN, 
an Internet that indicates whether access to public Internet is permitted, and a VLAN ID 
that is assigned to packets received over the specific VPN. 

In another representative embodiment, an integrated service management 
system is used to control operation of other management systems. In a specific 
embodiment, the integrated service management system comprises a network interface 
module that receives requests to change configuration, a service order processing module 
that analyzes and executes requests to change configuration received by the network 
interface module, updates related table cache in a service management database, and 
sends new configuration information using the network interface module. In some 
specific embodiments, the integrated service management system further comprises a 
service configuration table that stores destination information. In select embodiments, the 
integrated service management system further comprises a server table that stores a server 
table, said server table having a server identification, an address, a physical server
identifier, a virtual LAN identification, a logical partition (LPAR) identification, a host 
bus adaptor (HBA) identification, an application identification, an operating system 
identifier, and a CPU information, for example. In some specific embodiments, the 
integrated service management system further comprises a storage table that stores 
storage table having a volume identifier, a port identifier, an allowed host bus adapter(s) 
(HBAs) identifier, a capacity identifier, and an access information. The integrated service 
management system further comprises a service mapping table that stores a customer 
identifier, a virtual private network identifier, a server identifier, and a volume identifier 
in some specific embodiments. In some embodiments, the integrated service 
management system further comprises a service status table that stores a customer 
identifier, a virtual private network status, a server status, and a volume status. 

In some specific embodiments, an operator console application sends a 
request command to change service configuration to the integrated management system. 
In select specific embodiments, a customer portal application sends a request command to 
change service configuration to the integrated management system. 

In another representative embodiment, a method for managing storage is 
provided. The method comprises receiving a request to change a configuration of an 
integrated storage and networking system; analyzing the request to determine a new 
configuration; updating configuration tables to reflect the new configuration; and sending 
new configuration information to at least one of a plurality of subsystem managers. The 
configuration tables may comprise a mapping between a logical partition and at least one 
of a plurality of HBAs attached thereto, for example. 

In another representative embodiment, a method for managing a 
configuration for a virtual private network is provided. The method comprises receiving 
at a subsystem manager a request to change to a new configuration for a virtual private 
network of an integrated storage and networking system; analyzing the request to 
determine a new configuration for the virtual private network of the integrated storage 
and networking system; updating configuration tables to reflect the new configuration; 
and sending commands to a virtual private network router to implement the new 
configuration. The configuration tables may comprise a mapping between a logical 
partition and at least one of a plurality of HBAs attached thereto, for example. 



In another representative embodiment, a method for managing a 
configuration for at least one of a plurality of servers is provided. The method comprises 
receiving at a subsystem manager a request to change to a new configuration for at least 
one of a plurality of servers in an integrated storage and networking system; analyzing the 
request to determine a new configuration for the at least one of a plurality of servers in 
the integrated storage and networking system; updating configuration tables to reflect the 
new configuration; and sending commands to a virtual LAN switch to implement the new 
configuration. The configuration tables may comprise a mapping between a logical 
partition and at least one of a plurality of HBAs attached thereto, for example. 

In another representative embodiment, a method for managing a 
configuration for at least one of a plurality of storage devices is provided. The method 
comprises receiving at a subsystem manager a request to change to a new configuration 
for at least one of a plurality of storage devices of an integrated storage and networking 
system; analyzing the request to determine a new configuration for the at least one of a 
plurality of storage devices of the integrated storage and networking system; updating 
configuration tables to reflect the new configuration; and sending commands to a fibre 
channel switch to implement the new configuration. The configuration tables may 
comprise a mapping between a logical partition and at least one of a plurality of HBAs 
attached thereto, for example. 

In another representative embodiment, an apparatus is provided. The 
apparatus comprises a connection to a virtual private network; a router that is connected 
to the virtual private network. The router maintains at least one virtual router for a client 
and at least one server. The server can be apportioned into one or more logical partitions. 
The apparatus further includes a virtual LAN switch, connected to the router. The virtual 
LAN switch provides selectable forwarding for information from the router to at least one 
logical partition of the server. The apparatus also includes at least one volume and an FC 
switch. The FC switch provides selectable interconnection between the at least one 
logical partitions of the server and the at least one volume, so that information received 
from a plurality of sources via the virtual private network is directed to a particular virtual 
router for each of the sources by the router. In some specific embodiments, a virtual 
private network management system controls operation of the router. The information is 
then directed to a particular one of the logical partitions of the server for each of the 
sources by the virtual LAN switch. In some specific embodiments, a server management
system controls operation of the virtual LAN switch. The information is then directed to
a particular volume for each of the sources by the FC switch. In some specific 
embodiments, a storage management system controls operation of the FC switch. 

Numerous benefits are achieved by way of the present invention over 
conventional techniques. Specific embodiments according to the present invention 
provide the capability to integrate and manage customer identification information for 
each of the service components as a whole by the integrated service management systems. 
This enables the service operator to configure, monitor and manage the service on a
per-customer or per-service basis. By selecting a certain customer, the operator can focus on
the end-to-end service from the customer site to access network, to application servers 
and storage devices pertaining to the selected customer. 

As customer identification information for each of the service components 
is automatically mapped by the integrated service management systems, in specific 
embodiments, it is not necessary for the operator of the service provider to manually 
configure each service component. 

These and other benefits are described throughout the present 
specification. A further understanding of the nature and advantages of the invention 
herein may be realized by reference to the remaining portions of the specification and the 
attached drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 shows the system overview of SSAS in a specific embodiment of 
the present invention. 

Fig. 2 shows the VPN management system as an example of subsystem 
management system in a specific embodiment of the present invention. 

Fig. 3 shows the Integrated Service Management System (ISMS) in a 
specific embodiment of the present invention. 

Fig. 4 shows the service configuration table in a specific embodiment of 
the present invention. 

Fig. 5 shows the VPN table 500 that resides in the VPN database 210 of 
VPN SMS 200 in a specific embodiment of the present invention. 

Fig. 6 shows the server table 600 that resides in the server database of 
server SMS in a specific embodiment of the present invention. 



Fig. 7 shows the storage table that resides in the storage database of 
storage SMS in a specific embodiment of the present invention. 

Fig. 8 shows the service mapping table that resides in the service 
management database 310 in the ISMS 300 in a specific embodiment of the present 
invention. 

Fig. 9 shows the service status table that resides in the service management 
database 310 in the ISMS 300 in a specific embodiment of the present invention.

Fig. 10 shows a flowchart of representative integrated service management 
system processing in a specific embodiment of the present invention. 

Fig. 11 shows a flowchart of representative virtual private network service
management system processing in a specific embodiment of the present invention. 

Fig. 12 shows a flowchart of representative server management system 
processing in a specific embodiment of the present invention. 

Fig. 13 shows a flowchart of representative storage management system 
processing in a specific embodiment of the present invention. 

Fig. 14 shows a representative system configuration using LPAR 
capability in a specific embodiment of the present invention. 

Fig. 15 shows a representative relationship between logical partitions and 
host bus adaptors (HBAs) in a specific embodiment of the present invention.

Fig. 16 shows a representative server table for managing a mapping 
between application servers, logical partitions and HBAs in a specific embodiment of the 
present invention. 

Fig. 17 shows a representative storage table useful in a specific 
embodiment of the present invention. 

DESCRIPTION OF THE SPECIFIC EMBODIMENTS 
The present invention provides techniques for creation, operation and 
management of network-based storage services. Specific embodiments provide improved 
efficiency of the service management tasks used for designing, operating and accounting 
the robust and profitable network services, for example. In representative embodiments, 
techniques for constructing integrated network and storage services are provided. In a 
specific embodiment, the service comprises three major service components: virtual
private networks (VPN), application servers and storage area networks (SAN). Each of
these service components has its own customer identification information, such as VPN
identifier for VPN services, process identifier for application servers and logical unit 
number (LUN) for storage devices. 

In U.S. Patent Serial No. 6,205,488, entitled "Internet protocol virtual
private network realization using multi-protocol label switching tunnels," which is
incorporated by reference herein in its entirety for all purposes, one method for
constructing VPN over a packet-based network using multi-protocol label switching
(MPLS) technology is described. There are also several techniques to build a virtual
private network over public IP networks. For example, IPsec, point-to-point tunneling
protocol (PPTP), and layer 2 tunneling protocol (L2TP) may be used to set up a tunneling
path between customer-owned network equipment, such as VPN routers and firewalls.
Another form of VPN is a network-based VPN. An example of this type of VPN is
described in RFC2547, "BGP/MPLS VPNs," which is incorporated by reference herein in
its entirety for all purposes.
However, a need still exists to support integration and mapping between
VPN and application services. Further, other service components have their own service
management systems. For example, storage area network (SAN) can be managed using
SAN management software.

According to the present invention, a plurality of services is used to
combine virtual private network (VPN) services, application services and storage access
services. This service is referred to as "Secure storage access service" (SSAS) in this
document.

Fig. 1 shows the system overview of SSAS in a specific embodiment of
the present invention. Although SSAS may be comprised of one or more service
components, in a specific embodiment the SSAS comprises three service components,
each of which is described below.

Virtual private network (VPN) service provides a secure network path
between the customer site and the data center of the service provider over a shared
public network such as the Internet. Traffic that goes through the VPN path may or may not
be encrypted to prevent eavesdropping in various specific embodiments. Each of the
VPN service customers has one or more sites to be connected to the VPN. For example,
in Fig. 1, Customer A 130 has two sites Aa 132 and Ab 134. Each VPN site is an end
point of a VPN path. The other end point of the VPN path is on the VPN router 160,
which resides in the data center 150 of the service provider.

The VPN router 160 in the data center 150 aggregates multiple VPN paths,
identifies the customer by VPN ID, and directs the traffic received from the customer to the
virtual LAN (VLAN) switch 170. Within the VPN router 160, there are multiple virtual
router (VR) programs, each serving a different VPN customer. For example, in Fig. 1,
the VPN paths from service customer A 130 are terminated at the virtual router A 165 in 
the VPN router 160. Similarly, the VPN paths from customer B are connected to the VR 
B. Because each VR has its own routing table and other network resources dedicated to 
the customer it serves, packets from each VPN customer are clearly separated from the 
network point of view. This enables, for example, two different customers to use the 
same overlapping IP address spaces within a private address range. 

When VR A 165 receives packets from one of the VPN paths of customer A
130, it adds to them the VLAN tag for customer A and sends them to the VLAN
switch. The VLAN tag is the information added to the LAN frame so that more than two
logically independent networks can be overlaid on the same LAN segment. The more
detailed specification of the VLAN tag is defined in the IEEE 802.1Q standard. The VPN
service is one of the service components or subsystems that comprise SSAS and is
managed by the VPN management system 210, which will be described herein below.

Application service comprises one or more application servers
("Servers"). Each service customer is assigned to one or more Servers. For a larger
service customer who requires a lot of server processing capacity such as CPU time, more
than one server can be assigned for load balancing. On the other hand, for a smaller
customer who doesn't use much CPU and wants to reduce the service cost, one
application server can be shared among more than one service customer. In the latter
case, more than one application process may be run on the shared application server.

In Fig. 1, customer A uses two servers S-Aa 180 and S-Ab 182 while 
customers C and D share one server S-CD 186. Each application server belongs to a 
certain VLAN. As VLAN switch 170 on the VLAN segment is configured to transfer 
VLAN-tagged packets from VPN router 160 to an appropriate server connected to the 
VLAN segment, it is not necessary for servers to know to which VLAN they belong. 

Each application server has one or more host bus adapters (HBA) that 
connect the server to a storage area network (SAN). From the SAN point of view, each 
server is identified by its HBA address or port. In the configuration illustrated by Fig. 1,
each server is connected to a fibre channel (FC) switch 190, which performs the
switching functions of the SAN. Application service is one of the service components or
subsystems that comprise SSAS and is managed by the server management system 211,
which will be described herein below.

Storage service comprises multiple storage devices or volumes. Each
storage volume is configured to accept accesses from a specific application server.
Application servers and storage volumes are connected via the storage area network
(SAN). In Fig. 1, FC switch 190, of the SAN, is used to connect servers and volumes. In
order to segregate servers and volumes for different service customers, the FC switch 190
and/or storage volumes are configured so that access to a specific storage volume is 
restricted to one or more specific servers. When incorporated into FC switches, this 
functionality is called "port zoning." When incorporated into storage devices, this 
functionality is often called "LUN security," where LUN stands for logical unit number. 
In Fig. 1, servers S-Aa 180 and S-Ab 182 can access volumes V-Aa and V-Ab.
Server S-B 184 uses volume V-B. Server S-CD 186 gains access to volumes V-CDa
and V-CDb. The FC switch 190 is configured to manage the storage access as described
above. Storage service is one of the service components or subsystems that comprise
SSAS and is managed by the storage management system 212, which will be described
herein below.

Integrated service management system (ISMS) 300 is the management
server and programs running on it. Integrated service management system (ISMS) 300
communicates with the subsystem management system (SMS) that controls and manages
each service component comprising the SSAS. The ISMS 300 includes application
programming interfaces that can be used to develop application programs such as an
operator console program. Service provider operators can communicate with ISMS 300
by using operator console application 120. Service customers can communicate with
ISMS 300 by using customer portal applications 125. The ISMS communicates with
other management components such as SMS and applications through management
network 115.

Fig. 2 shows the VPN management system as an example of a subsystem 
management system in a specific embodiment of the present invention. Other subsystem 
management systems, such as server management system 201 and storage management 
system 202, for example, may be similar to the VPN management system (VPN SMS).
The VPN SMS 200 has a network interface module 250 that is connected to the
management network 115 and used to send or receive command packets to or from the
ISMS 300. The VPN SMS 200 also has a VPN control module 255 that is connected to 
the VPN router 160 and used to communicate with the VPN router 160 to configure the 
device. 

The information for mapping between VPN path and VLAN tags 
associated with the VPN path is stored in a VPN table 500 in a VPN database 210. The 
contents of the VPN table 500 will be described later with reference to Fig. 5. System 
operation module 230 controls the starting up and shutting down of the VPN SMS 200, 
and executes common tasks including operating system tasks. Input/output module 350 
processes the input/output events of the VPN SMS 200. 

Service order processing module 240 is responsible for processing service 
orders received by network interface module 250. When ISMS 300 sends a request 
command or a service order to VPN SMS 200 in order to change VPN configuration, the 
command packet is received by the network interface module 250 of VPN SMS 200. 
Then, the service order processing module 240 analyzes and executes the command 
request, updates the VPN table 500 and sends the new configuration information to the 
VPN router 160 through the VPN control module 255. A database access module 245 is 
used to read data from or write data into VPN database 210 as requested by other modules 
of VPN SMS 200. 

Fig. 3 shows the Integrated Service Management System (ISMS) in a 
specific embodiment of the present invention. The ISMS 300 has a network interface 
module 365 that is connected to the management network 115 and used to send or receive
command packets to or from SMSs, such as VPN management system 200, for example. 
Input/output module 350 processes the input/output events of the ISMS 300. 

A service order processing module 355 is responsible for processing 
service orders received by network interface module 365. When operator console 
application 120 or customer portal application 125 sends a request command or a service 
order to ISMS 300 in order to change service configuration, the command packet is 
received by the network interface module 365 of ISMS 300. Then, the service order 
processing module 355 analyzes and executes the command request, updates related table
caches in service management database 310 and sends the new configuration information
to the related SMSs through the network interface module 365. 

A database access module 360 is used to read data from or write data into 
the service management database 310 as requested by other modules of the ISMS 300.
Stored within the service management database 310 are a number of tables, which ISMS
300 uses to control and manage the SSAS. Service configuration table 315, service 
mapping table 325, and service status table 335 are described below. 

The ISMS 300 comprises a VPN table cache 320, server table cache 330 
and storage table cache 340, which are copies of the corresponding tables managed by 
SMSs respectively. For example, VPN table cache 320 is a copy of a VPN table 500 that
is stored in VPN SMS 200 and collected by ISMS 300. The contents of VPN table, 
server table and storage table are described below. 

Fig. 4 shows the service configuration table in a specific embodiment of 
the present invention. Service configuration table 400 contains the configuration 
information that ISMS 300 uses to identify SMSs to communicate with. In a specific
embodiment, ISMS 300 communicates with three subsystems: VPN subsystem, server
subsystem, and storage subsystem. The operator of the service system enters the SMS IP
address of each subsystem in the service configuration table 400. When starting up,
ISMS 300 looks up the service configuration table 400 to establish communication
connections to each SMS.

Fig. 5 shows the VPN table 500 that resides in the VPN database 210 of
VPN SMS 200 in a specific embodiment of the present invention. The information
contained in VPN table 500 is collected and stored by ISMS 300. The VPN table 500
contains the configuration information that VPN subsystem uses to configure the VPN
router 160. Within the VPN table 500, "VPN ID" identifies to which VPN the site
belongs. "Address 1" and "Address 2" hold the IP addresses of the two end points of the
VPN path or tunnel, respectively. "Protocol" specifies which VPN protocol is used on
the VPN path for this site. "Internet" is a Boolean value that indicates whether or not the
site is allowed to access public Internet, possibly through a firewall. "VLAN ID" is the
VLAN tag value assigned to the packets received from this site over the VPN path.

Fig. 6 shows the server table 600 that resides in the server database of 
server SMS in a specific embodiment of the present invention. The server SMS 201 is 
similar to VPN SMS 200 in a specific embodiment. The information contained in server 
table 600 is collected and stored by ISMS 300 as well. Server table 600 contains the
configuration information that the server subsystem uses to configure the VLAN switch
170. Within server table 600, "Server" identifies one of the application servers within the
server subsystem. "Address" holds the IP address of that server. "VLAN ID" is the
VLAN tag value assigned to that server. "Application," "OS" and "CPU" indicate the
application running on the server, operating system of the server, and CPU processing
capability such as CPU speed, respectively. 

Fig. 7 shows the storage table that resides in the storage database of 
storage SMS in a specific embodiment of the present invention. The storage SMS 202 is 
similar to VPN SMS 200 in a specific embodiment. The information contained in storage
table 700 is collected and stored by ISMS 300. This table contains the configuration
information that the storage subsystem uses to configure the FC switch 190 and storage
volumes. "Volume" identifies one of the storage volumes within the storage subsystem.
"Port" holds the FC port address of the volume. "Server allowed" specifies those servers
that are allowed to access this storage volume. "Capacity" and "Access" indicate the
storage volume capacity and access control attribute of the volume, respectively. 

Fig. 8 shows the service mapping table that resides in the service 
management database 310 in the ISMS 300 in a specific embodiment of the present 
invention. ISMS 300 constructs a single service management table from multiple tables 
collected from the SMSs that are connected to it. This table defines the mapping between
service customer and resources in each subsystem. For example, customer A is mapped
to VPN with VPN ID "VR-A," servers "S-Aa" and "S-Ab" and volumes "V-Aa" and
"V-Ab." When ISMS 300 configures the VPN settings for customer A, ISMS 300 looks up
this table, determines VPN ID corresponding to customer A and then issues a command
packet to VPN SMS 200 with the VPN ID.

In this way, ISMS 300 can accept the configuration command on a per- 
customer basis and translate it into the command request to the subsystems with 
subsystem specific identification information. 

Fig. 9 shows the service status table that resides in the service management 
database 310 in the ISMS 300 in a specific embodiment of the present invention. When
ISMS 300 receives the fault notification from one of SMSs connected to it, it looks up the
service mapping table 800 of Fig. 8 and determines which customer is affected by the
fault. For example, if the fault of storage volume V-B is received, by consulting the
service mapping table 800, ISMS 300 determines that the fault affects the customer B. In
this case, ISMS 300 updates the service status table 900 by changing the Volume column
of the customer B from "Normal" to "Fault." In this way, ISMS 300 can correlate the
fault notifications from subsystems to the customer who is affected by the event. 

Fig. 10 shows a flowchart of representative integrated service management 
system processing in a specific embodiment of the present invention. As illustrated in 
Fig. 10, in a step 1002, a service order is received by the integrated service system 300. 
The service order can be created using an operator console application 120 or the 
customer portal application 125 to send a request command or a service order to the 
ISMS 300. Service orders can be used to change service configuration and the like, for 
example. The service order can be in the form of a command packet, which is received 
by the network interface module 365 of ISMS 300, for example. Then, in a step 1004, the 
command request is analyzed and executed. In a specific embodiment, service order 
processing module 355 analyzes the service order to determine the changes that need to 
be made to the subsystem configurations in order to implement the commands in the 
service order. Next, in a step 1006, the related table caches in the service management 
database 310 of the ISMS 300 are updated to reflect the new configuration. Then, in a 
step 1008, the new configuration information is sent out to the related SMSs through the 
network interface module 365, for example. 

Fig. 11 shows a flowchart of representative virtual private network service 
management system processing in a specific embodiment of the present invention. As 
illustrated in Fig. 11, in a step 1102, a service order is received by the virtual private
network management system 200. The service order is created by the ISMS 300 in order
to implement a change in configuration responsive to receiving a service order from the
operator console application 120 or the customer portal application 125, for example.
The service order can be in the form of a command packet, which is received by the
network interface module 250 of VPN SMS 200, for example. Then, in a step 1104, the
service order is analyzed and executed. In a specific embodiment, service order
processing module 240 analyzes the service order to determine the changes that need to
be made to the VPN subsystem configuration in order to implement the commands within
the service order. Next, in a step 1106, the VPN table 500 in the VPN database 210 of the
VPN SMS 200 is updated to reflect the new configuration. Then, in a step 1108,
instructions to implement the new configuration are sent out to the VPN router 160
through the VPN control module 255, for example.

Fig. 12 shows a flowchart of representative server management system 
processing in a specific embodiment of the present invention. As illustrated in Fig. 12, in 
a step 1202, a service order is received by the server management system 201. The 
service order is created by the ISMS 300 in order to implement a change in configuration 
responsive to receiving a service order from the operator console application 120 or the 
customer portal application 125, for example. The service order can be in the form of a 
command packet, which is received by the network interface module of the server SMS 
201, for example. Then, in a step 1204, the service order is analyzed and executed. In a 
specific embodiment, a service order processing module of the server SMS 201 analyzes 
the service order to determine the changes that need to be made to the Server subsystem 
configuration in order to implement the commands within the service order. Next, in a 
step 1206, the server configuration table in the Server SMS 201 is updated to reflect the 
new configuration. This information is also contained in the server table cache 330 of 
ISMS 300. Then, in a step 1208, instructions to implement the new configuration are sent 
out to the VLAN switch 170 through a control module within the server SMS 201, for 
example. 

Fig. 13 shows a flowchart of representative storage management system 
processing in a specific embodiment of the present invention. As illustrated in Fig. 13, in 
a step 1302, a service order is received by the storage management system 202. The 
service order is created by the ISMS 300 in order to implement a change in configuration 
responsive to receiving a service order from the operator console application 120 or the 
customer portal application 125, for example. The service order can be in the form of a 
command packet, which is received by the network interface module of the storage SMS 
202, for example. Then, in a step 1304, the service order is analyzed and executed. In a 
specific embodiment, a service order processing module of the storage SMS 202 analyzes 
the service order to determine the changes that need to be made to the storage subsystem 
configuration in order to implement the commands within the service order. Next, in a 
step 1306, the storage configuration table in the storage SMS 202 is updated to reflect the 
new configuration. This information is also contained in the storage table cache 340 of 
the ISMS 300. Then, in a step 1308, instructions to implement the new configuration are
sent out to the FC switch 190 through a control module within the storage SMS 202, for
example. 

LOGICAL PARTITIONING 
In specific embodiments of the present invention, logical partitioning
techniques may be applied to high-end application servers to provide enhanced security
and access control. Some servers, especially those created for the high-end market, have a
capability called logical partitioning. A logical partition is a logical entity implemented
on a single physical computer. It is possible to have more than one logical partition on a
single physical computer. If multiple logical partitions reside on a computer, each one of
the partitions is independent from the other. Each partition can contain a different
operating system within it. In addition, application programs that run on a certain logical
partition would not see any other applications that run on other logical partitions.
Therefore, from an application's point of view, a logical partition acts as if it is a single
independent computer system even though the logical partitions reside in the same
physical computer.

By using logical partitioning, service providers can serve more customers
with the same number of servers. This means that the service providers can save the floor
space of data centers, which is becoming an increasingly scarce resource due to fast
growing server needs. As each logical partition is logically separate, and there is no
interaction between them, even if multiple customers share one physical server, these
customers can preserve information confidentiality and avoid system crashes caused by
other customers' actions.

Fig. 14 shows a representative system configuration using LPAR
capability in a specific embodiment of the present invention. In the illustrated specific
embodiment of the present invention, application servers in SSAS have logical
partitioning capabilities. A logical partition is identified by a combination of a physical
server and a logical partition ID (LPAR ID). In Fig. 14, one physical server P-1 (1400)
holds three logical partitions in it: L-1 (1420), L-2 (1430) and L-3 (1440). Another
physical server P-2 (1410) holds a single logical partition L-1 (1450).

Fig. 15 shows a representative relationship between logical partitions and 
host bus adaptors (HBAs) in a specific embodiment of the present invention. A host bus 
adaptor (HBA) is an interface device that gives a server access to the storage area 
network. Because it is possible for one LPAR to have more than one HBA, server SMS
201 should be able to manage a mapping between a logical partition and one or more
HBAs attached to it.

In the example shown in Fig. 15, a physical server P-1 (1400) contains
three logical partitions, L-1 (1420), L-2 (1430) and L-3 (1440), while P-2 (1410) has a
single logical partition, L-1 (1450). Physical server P-1 (1400) is equipped with four
HBAs, H-1 (1500) through H-4 (1530). Among these four HBAs, H-1 (1500) and H-2
(1510) are associated with L-1 (1420), and H-3 (1520) and H-4 (1530) are associated with
L-2 (1430) and L-3 (1440), respectively. In physical server P-2 (1410), there is only one
logical partition, L-1 (1450) and one HBA, H-5 (1540). Though it is not shown in this
example, it is also possible for more than one logical partition to share the same HBA. 

As access security in the storage area network is controlled on a per-HBA 
basis, the storage management subsystem manages which HBA is allowed to access 
which storage volumes. 

Fig. 16 shows a representative server table for managing a mapping 
between application servers, logical partitions and HBAs in a specific embodiment of the 
present invention. As shown by Fig. 16, a server SMS 201 holds the server table 1600. 
Server table 1600 in Fig. 16 contains additional columns for storing information such as a 
physical server, a logical partition ID (LPAR ID) and an HBA ID. 

Within server table 1600, "Server" identifies one of application servers 
within the server subsystem. "Address" holds the IP address of that server. "Physical 
Server" holds the id of the physical server in which the application server is contained. 
"VLAN ID" is the VLAN tag value assigned to that server. "LPAR ID" is the unique id 
that identifies the logical partition on which the application server runs. "HBA ID" 
specifies which HBA is attached to the logical partition. The actual value of HBA ID 
depends on the protocol used in the storage area network. For example, in the Fibre 
Channel based network, the world wide name of the HBA is used as an HBA ID. 
"Application," "OS," and "CPU" indicate the application running on the server, operating 
systems of the server, and CPU processing capability such as CPU speed, respectively. 

Note that servers such as S-Aa, S-Ab and S-B, are logical notions of the 
application server. They are identified by a combination of a physical server and a logical 
partition in it. Thus, according to the configuration shown in Fig. 16, servers S-Aa, S-Ab 
and S-B are on the same physical computer P-1 (1400) and their LPAR IDs are L-1
(1420), L-2 (1430) and L-3 (1440), respectively. Server S-CD, on the other hand, is on
the physical computer P-2 (1420), which holds a single logical partition L-1 (1450).

Fig. 17 shows a representative storage table useful in a specific 
embodiment of the present invention. The storage table 1700 can support embodiments 
using an LPAR configuration. It contains the configuration information that a storage 
management subsystem 202 uses to configure the FC switch 190 and storage volumes 
195. Within storage table 1700, "Volume" identifies one of the storage volumes within
the storage subsystem. "Port" holds the FC port address of the volume. "HBA allowed"
specifies those HBAs that are allowed to access this storage volume. "Capacity" and
"Access" indicate the storage volume capacity and access control attribute of the
volume, respectively.

The ISMS 300 collects mapping information from server SMS 201 and 
storage SMS 202, and combines the mapping information into the service mapping table 
800 of Fig. 8 and the service status table 900 of Fig. 9. The remaining operation is 
substantially similar to the processing of the specific embodiments discussed herein 
above with respect to Figs 10-13. 
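
Because storage access is granted per HBA while customers are mapped to logical servers, joining the server table, the storage table and the service mapping table shows whether any "HBA allowed" entry crosses a customer boundary. The following Python sketch is an added example and is not part of the original application; the row values, the field names `hbas` and `hba_allowed`, and the functions `hba_owners` and `audit` are assumptions made for illustration.

```python
# Constructed sample rows modelled on server table 1600, storage table 1700 and
# service mapping table 800; field names and values are illustrative assumptions.
SERVER_TABLE = [
    {"server": "S-Aa", "physical": "P-1", "lpar": "L-1", "hbas": ["H-1", "H-2"]},
    {"server": "S-Ab", "physical": "P-1", "lpar": "L-2", "hbas": ["H-3"]},
    {"server": "S-B",  "physical": "P-1", "lpar": "L-3", "hbas": ["H-4"]},
]
STORAGE_TABLE = [
    {"volume": "V-Aa", "hba_allowed": ["H-1", "H-2"]},
    {"volume": "V-Ab", "hba_allowed": ["H-3", "H-4"]},  # H-4 is on customer B's LPAR
    {"volume": "V-B",  "hba_allowed": ["H-4"]},
]
SERVICE_MAP = {
    "A": {"servers": ["S-Aa", "S-Ab"], "volumes": ["V-Aa", "V-Ab"]},
    "B": {"servers": ["S-B"], "volumes": ["V-B"]},
}

def hba_owners(server_table, service_map):
    """Map each HBA ID to the set of customers whose LPARs it is attached to."""
    server_customer = {s: c for c, m in service_map.items() for s in m["servers"]}
    owners = {}
    for row in server_table:
        customer = server_customer.get(row["server"])  # None if server is unmapped
        for hba in row["hbas"]:
            owners.setdefault(hba, set()).add(customer)
    return owners

def audit(server_table, storage_table, service_map):
    """Return sorted findings where per-HBA access crosses a customer boundary."""
    owners = hba_owners(server_table, service_map)
    volume_customer = {v: c for c, m in service_map.items() for v in m["volumes"]}
    findings = []
    for hba, custs in owners.items():
        if len(custs) > 1:  # one HBA shared by LPARs of different customers
            findings.append(("shared-hba", hba, tuple(sorted(map(str, custs)))))
    for row in storage_table:
        owner = volume_customer.get(row["volume"])
        for hba in row["hba_allowed"]:
            reach = owners.get(hba)
            if reach is None:  # allowed HBA not present in the server table
                findings.append(("unknown-hba", row["volume"], hba))
            elif reach != {owner}:  # HBA reachable by someone other than the owner
                findings.append(("cross-customer", row["volume"], hba))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SERVER_TABLE, STORAGE_TABLE, SERVICE_MAP))
```
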

The preceding has been a description of the preferred embodiment of the 
invention. It will be appreciated that deviations and modifications can be made without 
departing from the scope of the invention, which is defined by the appended claims. 



